# QR Code Scams on Business Cards: What to Check Before You Scan > Business card QR codes feel trustworthy because someone handed them to you in person — but scammers exploit exactly that trust. Here's how fraudulent business card QR codes work and how to check before your browser opens anything. URL: https://www.qrsafer.com/blog/business-card-qr-code-scams Published: 2026-05-05 --- Business cards with QR codes feel like a modern convenience — scan once and you're connected to someone's LinkedIn, website, or contact details. That sense of effortless professionalism is why scammers have started printing them too. The core exploit is straightforward: a business card is a physical object that creates an in-person trust cue. You received it from a human being. Your guard is lower than it would be for a link in a cold email. Scammers design their cards to look real precisely because the context does half the work for them. ## 1. The fake LinkedIn login redirect The most common business card QR scam targets professionals at networking events. The card looks legitimate — it carries a name, title, company logo, and a QR code labeled "Connect on LinkedIn" or "View my profile." But the code doesn't go to linkedin.com. It goes to something like `linkedin-profile-connect.com` — a near-perfect visual copy of the LinkedIn login page. When you enter your email and password, those credentials are sent directly to the attacker. They now have access to your LinkedIn account, your contacts, your DMs, and any connected applications. **What to look for:** Before your browser renders anything, use QRsafer to see the full URL. The only legitimate LinkedIn domain is `linkedin.com`. Any variation — hyphenated versions, extra words, different TLDs — is fraudulent. ## 2. Cards left in public places Business cards placed in coffee shops, laundromats, libraries, college bulletin boards, and gym locker rooms are a separate category of risk. There's no human interaction to anchor the context, which means there's also no accountability. These cards often advertise services: "freelance design," "crypto investment coaching," "local handyman." The QR code leads to a phishing page that asks for your name, email, and sometimes payment details to "book a consultation" or "claim a discount." Some cards are more aggressive and trigger a download — malware disguised as a portfolio, price list, or business app. **What to look for:** Any QR code on an unmanned card found in a public place should be treated like a link in an unsolicited email. Scan with QRsafer to preview the URL before loading it. If the destination asks you to log in, install anything, or enter payment details before showing you any legitimate content, close it immediately. ## 3. WhatsApp Business QR codes that add you to fraud groups WhatsApp Business allows businesses to create QR codes that, when scanned, open a chat with the business account. Scammers have adapted this feature: their card QR code doesn't open a chat with a real business — it adds you to a WhatsApp group controlled by a fraud ring. These groups typically run investment scams (often called "pig butchering"), fake job offers, or cryptocurrency giveaway schemes. The initial contact feels organic because you're now in a group with what appear to be real people discussing real opportunities. **What to look for:** A URL beginning with `wa.me/` is a WhatsApp link. It may be legitimate — but if the business card doesn't clearly describe a WhatsApp-based service, and if the URL includes group invite parameters rather than a simple phone number, be cautious. You can always verify the business through an independent search before scanning. ## 4. vCard downloads containing malware Some business card QR codes trigger an automatic download of a vCard (`.vcf`) file — a standard format for saving contact information. The legitimate version saves a person's name, phone, and email to your contacts. The malicious version embeds an exploit in the file that targets known vulnerabilities in mobile contact-import systems. In more targeted attacks, the "vCard" is actually a renamed executable or a file containing a script. These are less common than phishing redirects but represent a real risk, particularly on older Android devices. **What to look for:** If scanning a business card QR code immediately triggers a file download rather than opening a webpage, that's unusual. Inspect the filename and extension before opening. A legitimate vCard is a `.vcf` file of a few kilobytes. Any other extension, or a file that's unusually large, warrants caution. ## 5. How real professionals use QR codes on cards Understanding the legitimate use case helps you identify when something is off. Real business card QR codes go to one of a small number of destinations: the person's company website, their LinkedIn profile, a digital business card platform (HiHello, Blinq, Popl), or a vCard download. The URL is typically short, uses the company's primary domain or a known third-party platform, and doesn't ask you to log in or install anything before seeing contact information. Scam business cards fail this test in predictable ways: the URL is unfamiliar, the domain doesn't match the company name, or the page asks for credentials immediately rather than showing you the person's information. ## How to scan business card QR codes safely The single most effective habit is scanning with QRsafer before your browser acts on the code. QRsafer shows you the full destination URL, safety rating, and any redirect chain before anything loads. That preview window — which takes under two seconds — is often the only moment you have to catch a redirect before it's too late. Beyond that: - At networking events, save business cards to scan later when you're not distracted. - For cards found in public, apply the same skepticism you'd give an unsolicited email link. - If a URL doesn't match the company name on the card, don't proceed. - If a page asks you to log in or install something before showing contact details, it's a red flag. For more on QR code attacks that target professionals, see our guides on [LinkedIn QR code scams](/linkedin-qr-code-scam) and [fake Wi-Fi QR code scams](/blog/fake-wifi-qr-code-scam). **Download QRsafer** — available for [iOS](https://apps.apple.com/app/qrsafer/id6743708403) and [Android](https://play.google.com/store/apps/details?id=com.bedrockdigitalsolutions20.qrsafer) — and preview every QR code before your browser does.